Smappee Privacy Policy DRAFT

Smappee is committed to safeguarding the privacy of the visitors on our website and the users of the Smappee Energy Services. In this policy we explain how we will handle and protect your personal data.

2. Glossary of terms

In this Privacy Policy document, the following terms are to be understood as:

the online cloud services that consist of the server infrastructure and the software running on these servers

the Apps (iOS, Android) and the websites (such as my.smappee.net and pro.smappee.net) that provide access to the services

the interfaces to other connected IoT services

all communication and communication protocols between the listed components

This system is continuously evolving and may include additional components in the future.

The term 'Energy' should here be understood in the broadest sense, including — but not limited to — electricity, gas, water, light, battery capacity, consumption, production etc.

'Smappee Energy Services':

The services that are provided by the Smappee Energy Systems.

'Products':

The subject of one or more sales contracts, in this case – but not exclusively limited to – the Smappee Smart Devices, Smappee Energy Services, other hardware, software, websites and web-based services.

3. Where we process data

In this section we explain in what systems of Smappee we process personal data.

3.1 Website and Webshop www.smappee.com

We may process data that originates from the Smappee website and webshop (www.smappee.com), such as:

Details of the order, invoice and shipment

General Payment data. (However, Smappee does not process credit card numbers or other information that was used to authorize payment transactions.)

Data for billing, shipment and logistics

Tracking information, such as IP address, connection time, navigation

Tracking cookies

Newsletter subscriptions

Information request and contact forms

Partner request forms

Webinar subscriptions

We may process data relating to customer orders that the customer provided to Smappee by other means than the Smappee website and webshop.

If you choose to create a webshop user account, we may process the data that you provided for that user account.

3.2 Smappee Energy System

We may process data that are part of the — central and decentral — Smappee Energy Services and Smappee Energy Systems. That refers to data that is being collected and processed by, for example:

systems and servers that make up the Smappee cloud systems

Apps (iOS, Android)

websites and web dashboards that provide access to the Smappee services, such as my.smappee.net and pro.smappee.net

all communication and communication protocols between the listed components

operational systems used for Research & Development and Testing of our services

This data includes, for example:

measurements from the Smappee distributed devices, including data that is derived from those measurements

internal states and configurations of the Smappee distributed devices

data that you enter in the Smappee Apps or the Web Dashboards

account data and user credentials

network control data

3.3 Our Smappee Office Systems

We may process data in the various operational systems of our offices, in particular the systems used by the Support Team, Reception, Research and Development, and Sales and Marketing Team.

This data includes, for example:

data that you provided to our office systems during the initial request and further correspondence and follow-up with our staff

data that you provided as part of your correspondence

emails or other messages that you sent to us

communication logs (telephony, network)

data from all sources that are in the scope of this Privacy Policy and that is reasonably related to your request, inquiry or correspondence

4. What are the General Categories of Data

In this section we explain the general categories of personal data that we process.

4.1 Account Data

We process account data, which refers to data that identifies you and allows us to get in contact with you. This includes, for example: your name, address, email, telephone number, general payment data, gender, birthdate, hobbies and interests, relationship status and others.

4.2 Technical Data

We process technical data, which refers to all data that we need to provide good and secure services.

This includes, for example, the serial numbers of your devices, the configuration details and internal states of your devices and services, the software version of the system components and others. This also includes access credentials needed to process the data of the various Smappee systems.

4.3 Usage Data

We process usage data, which refers to all data that are collected from the Smappee Monitors, other distributed devices, apps, and websites, as well as data resulting from actions and activity of the users.

We may combine this data with other data categories of this privacy policy, and process data that is derived from this data.

This includes, for example, electrical measurements, geo-location data, detected appliances, events, messages, alerts, internal states of the Smappee Monitors or other distributed devices, and data that is manually entered in the Smappee apps or websites.

4.4 Interaction Data

We process interaction data, which refers to all data that result from user interaction with our systems, devices, apps, or websites.

This includes, for example, the use of the websites and apps. This also includes browser cookies, for which the Smappee Cookie policy is applicable.

4.5 Network Data

We process network data, which refers to data resulting from network traffic.

This includes, for example, IP address and MAC address.

4.6 Support, Inquiry, Correspondence

We process data for support, inquiry and correspondence, which refers to all data resulting from interaction with our staff, in particular with the Support Team, Reception, Sales Team.

This includes, for example, data that is provided as part of your correspondence, communication logs (telephony, network).

4.7 Survey Data

We may process data gathered as part of surveys, polls and studies.

This data includes, for example, data that identifies you and data that represents your responses.

4.8 Derived Data

We may process derived data, which refers to all data that is a result of combining and analysing data. We may combine data of all of the data categories provided in this Security Policy and data that we received from Third Parties.

4.9 Data from Third Parties

We may process data that we received from Third Parties in order to improve the services and better adapt them to the needs of the users.

4.10 Data of non-customers and prospects

We may process data of persons that are not yet customers of Smappee or Smappee Partners, in order to offer them personal products and services.

4.11 Special Data Categories

Sensitive Data

As required by the privacy law, Smappee does not process sensitive data such as racial or ethnic origin, political opinions, religious beliefs, sexual orientation, and health.

Appliance Scan Feature

Smappee may process data that is collected as part of the Appliance Scan Feature, for the purpose of improving the detection of appliance activity. This data includes the network identity (MAC address), timestamps, name, and vendor of appliances that are connected to the local network.

This feature is inactive by default. It needs to be activated by an expert user before first use. This feature can be activated and deactivated in the Smappee Expert Modus "Enable/disable MAC address arp-scan".

The legal basis for this processing is consent and the performance of a contract. By activating this feature the user agrees to this processing. This consent can be withdrawn at any time by deactivating this feature.

Other Persons data

Please do not supply any other person's personal data to us, unless we prompt you to do so.

5. For what Purpose do we Process your Data

In this section we explain the purposes for which we may process personal data, and the legal bases of the processing.

5.1 Order Fulfilment

Smappee processes data for the purpose of order fulfilment and contract fulfilment:

supplying the goods and services that are part of the order or contract

keeping a proper record of transactions relating to fulfillment of the order or contract

The legal basis for this processing is:

the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract or

5.2 Providing and Improving Smappee Energy Services

Smappee processes data for the purpose of providing the Smappee Energy Services and the Web presence, which includes, for example:

providing the various parts of the Smappee Energy Services

help the user to understand and control energy flows and usage patterns

change the user behaviour according to energy flows and usage patterns

perform benchmarking of energy flows and usage patterns to the level of appliances and users, using various criteria

change the time when energy is used (demand-response and peak-shaving)

create or validate invoices and usage records for energy consumption

in-app notifications

others

These services are continuously evolving and may include new services and features in the future.

The legal basis for this processing is

our legitimate interests

the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract

5.3 Operating and Improving the Smappee Services

Smappee processes data for the purpose of continuously improving its product, service and web presence. This includes, for example:

improvement of user experience of products, services and web presence

optimizing the systems

proactively identifying problems

security and fraud prevention

monitoring of systems and services

maintenance of systems

analyze specific or general cases of incidents, issues or problems

The legal basis for this processing is

our legitimate interests

the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract

5.4 Providing Value-Added Services

Smappee processes data for the purpose of providing value-added services:

enable Smappee to provide value-added and innovative services to the users

enable Third Parties to provide value-added and innovative services

send advice and recommendations based on consumption patterns

The legal basis for this processing is

our legitimate interests

the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract

5.5 Support, Inquiries, Correspondence

Smappee processes data for the purpose of providing support, responding to inquiries and correspondence:

support for any contract, product or service provided by Smappee

support for the installation, configuration and testing of products or services

optimally respond to your support request, inquiry or correspondence

resolve issues, incidents and problems effectively and efficiently

detecting and preventing similar issues in the same or other components of our systems

to proactively reduce occurrence of incidents and problems and improve response to and resolution of further incidents, problems, support requests, inquiries and correspondence

customize and optimize its correspondence to the user

In case Smappee detects an issue with the configuration or other data of accounts, services or remote devices, Smappee may modify the configuration or other data for the involved accounts, services or remote devices.

The legal basis for this processing is

our legitimate interests

the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract

5.6 Direct Marketing

We may process the data that is in the scope of this Privacy Policy for the purpose of Direct Marketing:

send Direct Marketing correspondence

customize and optimize our correspondence to the user

send recommendations based on consumption patterns

contact you to offer, market and sell to you relevant goods and/or services.

The legal basis for this processing is

legitimate interest or

taking steps, at your request, to enter into a contract

You have the right to object to this processing. For more information, see section "Your rights".

5.7 Research and Gaining Insights

We may process the data that is in the scope of this Privacy Policy for the purpose of Research, Investigation and for gaining Business Insights. This includes, for example:

energy usage and production patterns

user behaviour in Apps and Websites

the analysis of long-term trends, evolutions, changes, behaviour and developments

user surveys

The legal basis for this processing is legitimate interest.

5.8 Development

We may process the data that is in the scope of this Privacy Policy for the purpose of System Development. This includes, for example:

development, testing and validation of new systems, components and features

software systems and hardware systems

algorithms and data processing methods

The legal basis for this processing is legitimate interest.

5.9 Other purposes

In addition to the specific purposes for which we may process your personal data set out in this Section, we may also process data from all available sources that are in the scope of this Privacy Policy where such processing is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.

6. Providing your Data to Others

This section explains to what external parties we may disclose the personal data.

6.1 Company Group

We may disclose your personal data to any member of our group of companies — this means our subsidiaries, our ultimate holding company and all its subsidiaries — insofar as reasonably necessary for the purposes set out in this policy.

6.2 Business Transfers

We may transfer your personal data as part of a merger, acquisition, divestiture, joint venture, or similar transaction of all or a portion of our business or business assets. In that case the receiving entity will assume the rights and obligations regarding your personal information as described in this policy.

6.3 Insurers and Advisors

We may disclose data from all available sources that are in the scope of this Privacy Policy to our insurers and/or professional advisers insofar as reasonably necessary for the purposes of obtaining and maintaining insurance coverage, managing risks, obtaining professional advice and managing legal disputes.

6.4 Payment Services

Financial transactions may be handled by our payment services providers. We will share transaction data with our payment services providers only to the extent necessary for the purposes of processing your payments, refunding such payments and dealing with complaints and queries relating to such payments and refunds. You can find information about the payment services providers' privacy policies and practices below.

Payment service Providers:

Multisafepay https://www.multisafepay.com/privacy-cookies/

Paypal https://www.paypal.com/be/webapps/mpp/ua/privacy-prev

6.5 Suppliers and Subcontractors

We may disclose personal data obtained on our Website and Webshop to our suppliers and subcontractors insofar as reasonably necessary for

order handling and shipment

payments

support

operational purposes

6.6 Data Processors

We may disclose personal data that are in the scope of this Privacy Policy to our data processors. The Categories of these Subcontractors are:

marketing providers

hosting providers

integrated third parties

logistics providers

payment providers

problem tracking and support service providers

operational services providers

6.7 Partners for Installation and Support

We may disclose personal data available on our Smappee Energy Systems to Partners insofar as reasonably necessary for

performing the installation and configuration of our products

providing ongoing support

6.8 Partners, Installers, Resellers

If you obtained your Smappee Products or your Smappee Energy Services from any Third Party other than Smappee NV, or if you obtained support for installation, configuration or operations of your Smappee from any other Third Party than Smappee NV, Smappee may disclose your personal data that is in the scope of this Privacy Policy to this Third Party.

Each such Third Party will act as a data controller in relation to the data that we supply to it; and upon contacting you, each such Third Party will supply to you a copy of its own privacy policy, which will govern that Third Party's use of your personal data.

6.9 Third Party Data Controller

We may disclose the data that is in the scope of this Privacy Policy to selected Third Parties for the purposes that are described in section 5, "For what Purpose do we Process your Data", in particular — but not limited to — to contact you so that they can offer, market and sell to you relevant goods and/or services.

Each such Third Party will act as a data controller in relation to the data that we supply to it; and upon contacting you, each such Third Party will supply to you a copy of its own privacy policy, which will govern that Third Party's use of your personal data.

6.10 Integrated Third Party Services

The Smappee Energy Services allow the user to connect and integrate his or her account with Third Party Services. We may disclose your personal data to these services insofar as reasonably necessary for the purpose of making the corresponding features and functions available.

Note: In those cases where these Third Party Services are located outside the European Union, additional safeguards apply. These safeguards are described in section 7.2.3, "Integrated Third Party Services".

6.11 Remote Access

The Smappee Energy Services provide various ways to access your data remotely, such as the "Developers API". Each of these access methods is protected by an authentication process that requires your password.

As explained in section "10 How you can help to keep your personal data secure", Smappee will provide access to your data to anyone who has access to your password or other access credentials during the authentication process.

6.12 If you are a Partner, Installer, or Reseller

If you are a Partner, Installer, or Reseller of Smappee products or services, we may publish your contact information on our website and include it in other sales and marketing communication.

If you do not wish to be included in these publications, please let us know (see section "Questions and Requests").

6.13 Enquiry Data

We may disclose your enquiry data to Installation Partners and selected Third Party suppliers of goods and services for the purpose of enabling them to contact you so that they can offer, market and sell to you relevant goods and/or services. Each such Third Party will act as a data controller in relation to the enquiry data that we supply to it; and upon contacting you, each such Third Party will supply to you a copy of its own privacy policy, which will govern that Third Party's use of your personal data.

6.14 Publication

You acknowledge that personal data that you submit for publication through our website or services may be available, via the internet, around the world. We cannot prevent the use (or misuse) of such personal data by others.

6.15 Others

In addition to the specific disclosures of personal data set out in this Section, we may also disclose your personal data where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.

7. International transfers of your personal data

In this Section, we provide information about the circumstances in which your personal data may be transferred to countries outside the European Economic Area (EEA).

7.1 General

We may disclose your personal data, as described in the section 6, "Providing your Data to Others", to entities outside the EEA, provided the transfer is protected by appropriate safeguards, namely:

the use of standard data protection clauses adopted or approved by the European Commission

participation in the EU-US Privacy Shield

binding corporate rules

your explicit consent

For detailed information about these transfers and the safeguards, please contact us by email, as described in section "Questions and Requests".

7.2 Specific Transfers

Smappee INC

Smappee NV and its full subsidiary, Smappee INC, have offices and facilities in the United States of America.

Transfers to Smappee INC will be protected by appropriate safeguards, namely the use of standard data protection clauses adopted or approved by the European Commission. (Set II controller – processor, Commission Decision 2010/87/EU, dated 5th February 2010).

New Group Members

In case Smappee establishes new international group member companies, joint ventures, or similar, Smappee may transfer personal data to these entities. This data transfer will be protected by the appropriate safeguards for international transfers.

Integrated Third Party Services

As explained above, the Smappee Energy Services allow the user to connect and integrate his or her account with Third Party Services. The use of these services may require that personal data will be transferred to countries outside the European Union, where data privacy protection cannot be assured.

In these cases, at the time that a user activates the connection to an integrated Third Party Service, Smappee informs the user about the possible risk of such transfers and obtains the consent of the user for such a transfer.

Examples of those services:

IFTTT

Solarcoin

Remote Access

As explained above, the Smappee Energy Services provide various ways to access your data remotely, such as the "Developers API".

As explained in section 10, "How you can help to keep your personal data secure", Smappee will provide access to your data to anyone who has access to your password or other access credentials during the authentication process.

The party who gains this type of access to your data may be located outside the EU, where no data protection laws may apply and where the protection of your personal data cannot be assured.

For that reason, the user is not allowed to share the password or other access credentials with anyone else.

8. Retaining and deleting personal data

This Section sets out our data retention policies and procedure, which are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of personal data.

In case you wish to delete the personal data related to your Smappee Energy Services, please use the function "Delete All My Data" in the Smappee App. If you require assistance, please contact Smappee Support.

Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary or reasonable for that purpose or those purposes. We may retain personal data longer than this period if it is in our legitimate interest and not prohibited by law.

Notwithstanding the other provisions of this Section, we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.

9. Information Security

Smappee is committed to high standards of information security when handling the data of our customers.

All communication between your Smappee devices and the Smappee cloud is encrypted by strong encryption protocols.

We use computer safeguards, such as firewalls and data encryption. We allow access to personal information only for employees that require it to fulfil their job.

10. How you can help to keep your personal data secure

10.1 Do Not Share your Password

Your user account of the Smappee App and the Smappee Dashboard website pro.smappee.com is protected by your personal password.

Anyone who has access to or can guess your user name and password may get access to the personal data of your user account.

This may result in the transfer of your personal data to third parties, inside or outside the European Union, and you may lose any protection that the European Data Protection Laws provide.

Do not share your password of your user account with anyone else!

10.2 Share your App Data with Trusted Persons Only

The Smappee App allows you to share the measurement data of your home ("service location") with other users. When shared, the other users have full access to your personal data.

You can revoke this sharing at any time using your App.

Use this feature only to share your data with people you trust.

10.3 Use Separate Logins for Webshop and App

Please note that the Smappee Webshop (www.smappee.com) uses a different login than the Smappee App and the Dashboard (pro.smappee.net):

The login for the Webshop www.smappee.com is used for purchasing products and services. This login does NOT give access to the Smappee Energy Services.

The login for the Smappee App can be used for accessing the Smappee Energy Services. This login is identical to the login that you can use at the Smappee Dashboard (pro.smappee.net).

We recommend using different user names and passwords for these two applications.

10.4 Protect your Local Network

The Smappee Monitors use secure protocols with strong encryption when communicating with the Smappee cloud over the internet.

Still, the Smappee Monitors, as well as the other Smappee Distributed Devices, are intended and designed to be used and operated in secure private local networks. An unauthorized or untrustworthy intruder to your local network may compromise the security of all your connected systems, including the Smappee Monitors, and gain unauthorized access to your personal data.

We strongly recommend that you protect your local network and Wi-Fi network.

11. Your rights

In this Section, we have summarized the rights that you have under data protection law. Some of the rights are complex, and not all of the details have been included in our summaries. Accordingly, you should read the relevant laws and guidance from the regulatory authorities for a full explanation of these rights.

You may exercise any of your rights in relation to your personal data by written notice to

Smappee NV, c/o DPO, Evolis 100, 8500 Kortrijk, Belgium

or by contacting us by email, as described in section "Questions and Requests".

Your principal rights under data protection law are:

the right to access

the right to rectification

the right to erasure

the right to restrict processing

the right to object to processing

the right to data portability

the right to complain to a supervisory authority

the right to withdraw consent

11.1 The right to access

You have the right to confirmation as to whether or not we process your personal data and, where we do, access to the personal data, together with certain additional information. That additional information includes details of the purposes of the processing, the categories of personal data concerned and the recipients of the personal data. Provided the rights and freedoms of others are not affected, we will supply to you a copy of your personal data. The first copy will be provided free of charge, but additional copies may be subject to a reasonable fee.

11.2 The right to rectification

You have the right to have any inaccurate personal data about you rectified and, taking into account the purposes of the processing, to have any incomplete personal data about you completed.

11.3 The right to erasure

In some circumstances you have the right to the erasure of your personal data without undue delay. Those circumstances include: the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; you withdraw consent to consent-based processing; the processing is for direct marketing purposes; and the personal data have been unlawfully processed. However, there are certain general exclusions of the right to erasure. Those general exclusions include where processing is necessary: for exercising the right of freedom of expression and information; for compliance with a legal obligation; or for the establishment, exercise or defense of legal claims.

11.4 The right to restrict processing

In some circumstances you have the right to restrict the processing of your personal data. Those circumstances are: you contest the accuracy of the personal data; processing is unlawful but you oppose erasure; we no longer need the personal data for the purposes of our processing, but you require personal data for the establishment, exercise or defense of legal claims; and you have objected to processing, pending the verification of that objection. Where processing has been restricted on this basis, we may continue to store your personal data. However, we will only otherwise process it: with your consent; for the establishment, exercise or defense of legal claims; for the protection of the rights of another natural or legal person; or for reasons of important public interest.

11.5 The right to object to processing

You have the right to object to our processing of your personal data on grounds relating to your particular situation, but only to the extent that the legal basis for the processing is that the processing is necessary for: the performance of a task carried out in the public interest or in the exercise of any official authority vested in us; or the purposes of the legitimate interests pursued by us or by a third party. If you make such an objection, we will cease to process the personal information unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defense of legal claims.

You have the right to object to our processing of your personal data for direct marketing purposes (including profiling for direct marketing purposes). If you make such an objection, we will cease to process your personal data for this purpose.

11.6 The right to data portability

To the extent that the legal basis for our processing of your personal data is consent, and such processing is carried out by automated means, you have the right to receive your personal data from us in a structured, commonly used and machine-readable format. However, this right does not apply where it would adversely affect the rights and freedoms of others.

11.7 The right to complain to a supervisory authority

If you consider that our processing of your personal information infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. You may do so in the EU member state of your habitual residence, your place of work or the place of the alleged infringement.

11.8 The right to withdraw consent

To the extent that the legal basis for our processing of your personal information is consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.

12. Amendments

We may update this policy from time to time by publishing a new version on our website.

You should check this page occasionally to ensure you are happy with any changes to this policy.

13. Questions and Requests

If you are a user of a Smappee product and have any requests regarding your personal data, or

if you would like to exercise your rights, or

if you wish to update the information we have about you or your preferences,